
MATHEMATICS OF COMPUTATION Volume 70, Number 234, Pages 873–891 S 0025-5718(00)01197-2 Article electronically published on March 1, 2000

FROBENIUS PSEUDOPRIMES

JON GRANTHAM

Abstract. The proliferation of probable prime tests in recent years has produced a plethora of definitions with the word “pseudoprime” in them. Examples include pseudoprimes, Euler pseudoprimes, strong pseudoprimes, Lucas pseudoprimes, strong Lucas pseudoprimes, extra strong Lucas pseudoprimes and Perrin pseudoprimes. Though these tests represent a wealth of ideas, they exist as a hodge-podge of definitions rather than as examples of a more general theory. It is the goal of this paper to present a way of viewing many of these tests as special cases of a general principle, as well as to re-formulate them in the context of finite fields. One aim of the reformulation is to enable the creation of stronger tests; another is to aid in proving results about large classes of pseudoprimes.

1. Introduction

Fermat's Little Theorem tells us that $a^{p-1} \equiv 1 \bmod p$ for $p$ an odd prime; thus we have an easy way to prove that many numbers are composite. For example, since $2^{90} \equiv 64 \bmod 91$, we prove that 91 is composite. The technique of repeated squaring can be used to perform the required exponentiation very rapidly. This test is not foolproof. In particular, $2^{340} \equiv 1 \bmod 341$. Composites which fool the test with $a = 2$ are called pseudoprimes, and in general, composites $n$ with $a^{n-1} \equiv 1 \bmod n$ are pseudoprimes to the base $a$. The existence of such numbers provides incentive to create other tests which are similarly fast, but which may have fewer, or at least different, “pseudoprimes.” Two of these tests are more elaborate versions of the test described above and create the notions of Euler pseudoprimes and strong pseudoprimes. Most other tests, however, involve recurrence sequences. One reason that pseudoprimes based on recurrence sequences have attracted interest is that the pseudoprimes for these sequences are often different from ordinary pseudoprimes. In fact, nobody has claimed the \$620 offered for a Lucas pseudoprime with parameters $(1, -1)$ (see Section 2 for a definition of this term), congruent to 2 or 3 mod 5, that is also a pseudoprime to the base 2 [22], [14]. Furthermore, some tests based on higher order recurrence sequences seem to have few pseudoprimes. Adams and Shanks [2] introduced such a test based on a third order recurrence sequence known as Perrin's sequence. A problem with tests based on recurrence sequences is that analysis of the tests can be difficult. For example, the concepts of Lucas and Lehmer pseudoprimes have been analyzed separately in the literature. In Section 2, we show that they are equivalent definitions.

Received by the editor January 6, 1998 and, in revised form, March 29, 1999. 2000 Mathematics Subject Classification. Primary 11Y11.

© 2000 American Mathematical Society

License or copyright restrictions may apply to redistribution; see https://www.ams.org/journal-terms-of-use 874 JON GRANTHAM

Instead of recurrence sequences, the language used in this paper is that of finite fields. In particular, when $n$ is a prime, $f(x) \in \mathbb{Z}[x]$, and $n$ does not divide $\operatorname{disc}(f)$, the residue ring $\mathbb{Z}[x]/(n, f(x))$ is a product of finite fields of characteristic $n$. When $n$ is composite, this ring is not equal to such a product. For a given composite $n$, this fact is often easy to discover, thus providing a quick proof of the compositeness of $n$. Using properties of finite fields, we establish the definition of Frobenius probable prime, which is a generalization, and sometimes a strengthening, of many existing definitions. We introduce the concept of Frobenius pseudoprimes, not to inflict a new and different notion of pseudoprimality on the mathematical world, but to show that many existing pseudoprimality tests can be generalized and described in terms of finite fields. In fact, we show that some specific instances of the test are equivalent to other pseudoprimality tests, and stronger than many of them. In [11], we use the structure given by the introduction of finite fields to show that the probability of error in declaring a number “prime” using a certain Frobenius test is less than $1/7710$. In 1980, Monier [19] and Rabin [23] proved that the Strong Probable Prime Test has probability of error at most $1/4$. Although the test introduced in [11] has asymptotic running time three times that of the Strong Probable Prime Test, the proven bound on the error is much smaller than the $1/64$ achieved through three Strong Probable Prime Tests. Perhaps the primary benefit of this approach is that instead of having to prove ten different theorems about ten different types of pseudoprimes, one can prove one theorem about Frobenius pseudoprimes and apply it to each type of pseudoprime. In [12], the techniques of [3] are used to prove that for any monic, squarefree polynomial, there are infinitely many Frobenius pseudoprimes.
In particular, this theorem answers a 1982 conjecture of Adams and Shanks [2] that there are infinitely many Perrin pseudoprimes. It also proves the infinitude of the types of pseudoprimes defined by Gurak [13] and Szekeres [27]. We should note that the idea of primality testing in finite fields is not entirely new. Lenstra's Galois Theory Test [17] is a method of proving primality using finite fields. In [10], I describe the relation between the two ideas. The combination of finite fields and pseudoprimes also exists implicitly in some other works, such as [27]. The goal here, however, is different. I am trying to provide a clear theoretical framework in which various existing probable prime tests can be generalized and analyzed.

2. A wealth of pseudoprimes

For the purposes of this paper, the following test for primality will be considered foolproof. If an integer is denoted by the letter $p$, then $p$ is prime. If $q$ is a prime power, we let $\mathbb{F}_q$ denote a finite field with $q$ elements. We begin by reviewing many of the existing notions of pseudoprimality. Each of these definitions of “pseudoprime” characterizes composite numbers with a certain property. In each of these cases, it can be proven that all prime numbers (with a finite, known set of exceptions) have this property. This paper does not pretend to be an exhaustive treatment of all notions of pseudoprimality. For example, nothing is said about elliptic pseudoprimes [8].


Fermat's Little Theorem tells us that if $p$ is prime, then $a^{p-1} \equiv 1 \bmod p$, if $p \nmid a$. The original notion of a pseudoprime (sometimes called a Fermat pseudoprime) involves counterexamples to the converse of this theorem.

Definition. A pseudoprime to the base $a$ is a composite $n$ such that $a^{n-1} \equiv 1 \bmod n$.

Definition. A number $n$ which is a pseudoprime to all bases $a$ with $(a, n) = 1$ is a Carmichael number.

We also know that if $p$ is an odd prime, then $a^{(p-1)/2} \equiv \left(\frac{a}{p}\right) \bmod p$, where $\left(\frac{a}{p}\right)$ is the Legendre symbol. The converse of this theorem leads to the definition of Euler pseudoprime, due to Raphael Robinson [24].

Definition. An Euler pseudoprime to the base $a$ is an odd composite number $n$ with $(a, n) = 1$ such that $a^{(n-1)/2} \equiv \left(\frac{a}{n}\right) \bmod n$.

An Euler pseudoprime to the base $a$ is also a pseudoprime to the base $a$.

If $n \equiv 1 \bmod 4$, we can also look at $a^{(n-1)/2^k}$ for $k > 1$, and doing so gives us the definition of strong pseudoprime [22], due independently to R. Dubois and .

Definition. A strong pseudoprime to the base $a$ is an odd composite $n = 2^r s + 1$ with $s$ odd such that either $a^s \equiv 1 \bmod n$, or $a^{2^t s} \equiv -1$ for some integer $t$, with $r > t \ge 0$.

A strong pseudoprime to the base $a$ is also an Euler pseudoprime to the base $a$ [19], [22].

It is possible to define notions of pseudoprimality based on congruence properties of recurrence sequences. The simplest of these are based on the Lucas sequences $U_n(P, Q)$, where $P$ and $Q$ are integers, $U_0 = 0$, $U_1 = 1$ and $U_n = PU_{n-1} - QU_{n-2}$. (When $P = 1$ and $Q = -1$, this is the Fibonacci sequence.)

We recall the fact that we can express $U_n$ in terms of roots of the polynomial $f(x) = x^2 - Px + Q$. If $\alpha$ and $\beta$ are roots of $f(x)$ in a commutative ring (with identity), with $\alpha - \beta$ invertible, then $U_n = (\alpha^n - \beta^n)/(\alpha - \beta)$. By induction on $n$, this equality holds even if there are more than two distinct roots of $f(x)$.

Theorem 2.1. Let $U_n = U_n(P, Q)$ and $\Delta = P^2 - 4Q$. If $p \nmid 2Q\Delta$, then $U_{p - (\frac{\Delta}{p})} \equiv 0 \bmod p$.

Proof. Since $p \nmid \Delta$, $x^2 - Px + Q$ has distinct roots, $\alpha$ and $\beta$, in $\overline{\mathbb{F}}_p$. If $\left(\frac{\Delta}{p}\right) = 1$, then $f(x)$ factors mod $p$, and $\alpha$ and $\beta$ are in $\mathbb{F}_p$. Thus $\alpha^{p-1} \equiv \beta^{p-1} \equiv 1 \bmod p$. So $U_{p-1} \equiv (1 - 1)/(\alpha - \beta) = 0 \bmod p$.

If $\left(\frac{\Delta}{p}\right) = -1$, then $f(x)$ does not factor, and the roots of $f(x)$ lie in $\mathbb{F}_{p^2}$. The Frobenius automorphism permutes the roots of $f(x)$, so $\alpha^p \equiv \beta$ and $\beta^p \equiv \alpha$. Thus $U_{p+1} \equiv (\alpha\beta - \beta\alpha)/(\alpha - \beta) = 0 \bmod p$.

Definition. Let $U_n = U_n(P, Q)$ and $\Delta = P^2 - 4Q$. A Lucas pseudoprime with parameters $(P, Q)$ is a composite $n$ with $(n, 2Q\Delta) = 1$ such that $U_{n - (\frac{\Delta}{n})} \equiv 0 \bmod n$.

Baillie and Wagstaff [7] gave a version of this test that is analogous to the strong pseudoprime test. We first define the sequence $V_n(P, Q)$ to be the sequence with $V_0 = 2$, $V_1 = b$, and $V_n = PV_{n-1} - QV_{n-2}$. Note that $V_n = \alpha^n + \beta^n$, where $\alpha$ and $\beta$ are distinct roots of $x^2 - Px + Q$.


Theorem 2.2. Let $U_n = U_n(P, Q)$ and $\Delta = P^2 - 4Q$. Let $p$ be a prime not dividing $2Q\Delta$. Write $p = 2^r s + \left(\frac{\Delta}{p}\right)$, where $s$ is odd. Then either $U_s \equiv 0$ or $V_{2^t s} \equiv 0 \bmod p$ for some $t$, $0 \le t < r$.

Definition. Let $U_n = U_n(P, Q)$, $V_n = V_n(P, Q)$, and $\Delta = P^2 - 4Q$. A strong Lucas pseudoprime with parameters $(P, Q)$ is a composite $n = 2^r s + \left(\frac{\Delta}{n}\right)$, where $s$ is odd and $(n, 2Q\Delta) = 1$, such that either $U_s \equiv 0 \bmod n$ or $V_{2^t s} \equiv 0 \bmod n$ for some $t$, $0 \le t < r$.

Theorem 2.3. Let $U_n = U_n(b, 1)$, $V_n = V_n(b, 1)$, and $\Delta = b^2 - 4$. Let $p$ be a prime not dividing $2\Delta$. Write $p = 2^r s + \left(\frac{\Delta}{p}\right)$, where $s$ is odd. Then either $U_s \equiv 0 \bmod p$ and $V_s \equiv \pm 2 \bmod p$, or $V_{2^t s} \equiv 0 \bmod p$, for some $t$, $0 \le t < r - 1$.

Proof. By Theorem 2.2, it suffices to show that $V_{2^{r-1} s} \not\equiv 0$, and that if $U_s \equiv 0$, then $V_s \equiv \pm 2$.

Note that $V_n = \alpha^n + \alpha^{-n}$, where $\alpha$ is a root of $x^2 - bx + 1$. So $V_{2^{r-1} s} \equiv 0 \bmod p$ implies $\alpha^{2^r s} \equiv -1$. If $\left(\frac{\Delta}{p}\right) = 1$, then $\alpha \in \mathbb{F}_p$, and we have a contradiction. If $\left(\frac{\Delta}{p}\right) = -1$, then $\alpha^p \equiv \alpha^{-1}$. So $\alpha^{p+1} \equiv 1 \not\equiv -1$, and we also have a contradiction.

If $U_s \equiv 0 \bmod p$, then $\alpha^s \equiv \alpha^{-s} \bmod p$, and thus $\alpha^{2s} \equiv 1$. We must have $\alpha^s \equiv \pm 1$, and thus $V_s \equiv \pm 2$.

Definition. Let $U_n = U_n(b, 1)$, $V_n = V_n(b, 1)$, and $\Delta = b^2 - 4$. An extra strong Lucas pseudoprime to the base $b$ is a composite $n = 2^r s + \left(\frac{\Delta}{n}\right)$, where $s$ is odd and $(n, 2\Delta) = 1$, such that either $U_s \equiv 0 \bmod n$ and $V_s \equiv \pm 2 \bmod n$, or $V_{2^t s} \equiv 0 \bmod n$ for some $t$ with $0 \le t < r - 1$.

Definition. Let $D = L - 4Q$ and write $(n)$ for $\left(\frac{LD}{n}\right)$. A Lehmer pseudoprime with parameters $(L, Q)$ is a composite $n$ with $(2LD, n) = 1$ and $\bar U_{n - (n)} \equiv 0 \bmod n$.

Lehmer pseudoprimes can be analyzed by the same means as Lucas pseudoprimes, because of the following new result.

Theorem 2.4. An integer $n$ is a Lehmer pseudoprime with parameters $(L, Q)$ if and only if it is a Lucas pseudoprime with parameters $(L, LQ)$.

Proof. Let $D = L - 4Q$ be the discriminant of the Lehmer sequence. The characteristic polynomial of the Lucas sequence is $f(x) = x^2 - Lx + LQ$, which has discriminant $L^2 - 4LQ = LD$. So $(n) = \left(\frac{L^2 - 4LQ}{n}\right)$. The roots of $f(x)$ are $\alpha = \frac{L + \sqrt{L^2 - 4LQ}}{2}$ and $\beta = \frac{L - \sqrt{L^2 - 4LQ}}{2}$. The characteristic polynomial of the Lehmer sequence is $g(x) = x^2 - \sqrt{L}\,x + Q$. Its roots are $\alpha' = \alpha/\sqrt{L}$ and $\beta' = \beta/\sqrt{L}$. Thus $L^{(n - (n))/2}\,\bar U_{n - (n)} = U_{n - (n)}$, and we conclude that $\bar U_{n - (n)} \equiv 0 \bmod n$ if and only if $U_{n - (n)} \equiv 0 \bmod n$. This proves the theorem.

Rotkiewicz [26] has also given a definition of strong Lehmer pseudoprime.

Definition. Let $\bar U_k$ be as in the definition of Lehmer pseudoprime. Let $\bar V_n$ satisfy $\bar V_0 = 2$, $\bar V_1 = 1$, $\bar V_k = L\bar V_{k-1} - Q\bar V_{k-2}$ for $k$ even, and $\bar V_k = \bar V_{k-1} - Q\bar V_{k-2}$ for $k$ odd. Let $(n)$ be as above. An odd composite number $n = 2^r s + (n)$ is a strong Lehmer pseudoprime with parameters $(L, Q)$ if $(n, DQ) = 1$ and either $\bar U_s \equiv 0 \bmod n$ or $\bar V_{2^t s} \equiv 0$ for some $t$ with $0 \le t < r$.


In the past, the term Perrin pseudoprime has referred only to pseudoprimes with respect to Perrin's original sequence, but we feel it is useful to have a convenient name for composites having an acceptable signature for other such sequences. Also, we have omitted a portion of the test involving quadratic forms. If $n$ has an I-signature, it is possible to construct a quadratic form representing $n$. A prime with an I-signature can only be represented by forms lying in a certain subgroup of the class group of quadratic forms with discriminant $\Delta$. The only examples found where this portion of the test has exposed composites involve pseudoprimes very small compared to the discriminant of the associated polynomial. In fact, the polynomials were cleverly constructed specifically to have pseudoprimes which would be exposed in this way. In particular, there are no known examples where the quadratic form exposes a composite for the test using Perrin's sequence. The test does not apply to integers with Q-signatures or S-signatures. The interested reader should consult [2] for details.

Generalizations to higher order recurrence sequences have been given by Gurak [13]. His basic definition is shown below to be subsumed in the definition of Frobenius pseudoprimes. Later in his paper, he gives ideas as to how his test could be made stronger. He does not, however, give exact definitions of other notions of pseudoprimality.

A nice variation on these tests is given by Szekeres [27].

Definition. Let $f(x)$ be an irreducible polynomial in $\mathbb{Z}[x]$ and let $\beta_1, \dots, \beta_k$ be its roots. A pseudoprime (in the sense of Szekeres) is a composite $n$ such that for every symmetric polynomial $S(x_1, \dots, x_k) \in \mathbb{Z}[x_1, \dots, x_k]$, $S(\beta_1^n, \dots, \beta_k^n) \equiv S(\beta_1, \dots, \beta_k) \bmod n$.

Szekeres does not test signatures and notes, “Signatures can be tested without much additional effort but they don't seem to add significantly to the efficiency of primality testing through higher order Lucas sequences ...” He also does not use knowledge gained from Jacobi symbols in his test.

Atkin has proposed a specific test based on arithmetic modulo polynomials; it shares some similarities with the test described in Section 3. He describes it fully in [6].

3. Frobenius pseudoprimes

In this section, we will be introducing the definition of Frobenius pseudoprime. This definition does not in and of itself solve any open questions in the subject. We do, however, aim to provide a clearer way of thinking about the definitions given in the previous section. Some open questions are solved in [11] and [12].

We first prove some elementary facts about polynomials over finite fields. In particular, we exploit the following fact. Given a polynomial $f(x)$ of degree $d$, we can factor it as $\prod_{i=1}^{d} F_i(x)$, where each $F_i(x)$ is the product of the irreducible polynomials of degree $i$ dividing $f(x)$. More precisely, we define these polynomials as follows. Let $f_0(x) = f(x)$. For $1 \le i \le d$, define $F_i(x) = \gcd(x^{p^i} - x, f_{i-1}(x))$ in $\mathbb{F}_p[x]$ and $f_i(x) = f_{i-1}(x)/F_i(x)$.

Theorem 3.1. Let $p$ be an odd prime, and let $f(x)$ be a monic polynomial in $\mathbb{F}_p[x]$ of degree $d$ with discriminant $\Delta$. Assume $p \nmid f(0)\Delta$.
1) We have $f_d(x) = 1$, and for each $i$, $1 \le i \le d$, $i \mid \deg(F_i)$.
2) For $2 \le i \le d$, $F_i(x) \mid F_i(x^p)$.
3) Let $S = \sum_{2 \mid i} \deg(F_i(x))/i$. Then $(-1)^S = \left(\frac{\Delta}{p}\right)$. That is, if $\left(\frac{\Delta}{p}\right) = 1$, then $S$ is an even integer, and if $\left(\frac{\Delta}{p}\right) = -1$, then $S$ is an odd integer.

Proof. 1) The polynomial $x^{p^i} - x$ is the product of all irreducible polynomials in $\mathbb{F}_p[x]$ with degree dividing $i$. Inductively, we see that
$$F_i(x) = \gcd\Bigl(\prod_{j \mid i} (x^{p^j} - x)^{\mu(i/j)},\; f(x)\Bigr),$$
where $\mu$ is the Möbius function. Thus $F_i(x)$ is the product of all irreducible factors of $f(x)$ of degree exactly $i$, and $f_i(x)$ is the product of the irreducible polynomials dividing $f(x)$ with degree greater than $i$. Since $\Delta \ne 0$, $f(x)$ is squarefree, and since $f(x)$ is equal to the product of its irreducible factors, $f(x) = \prod_{1 \le i \le d} F_i(x)$, so $f_d(x) = f(x)/\bigl(\prod_{1 \le i \le d} F_i(x)\bigr) = 1$.

2) In fact, for any nonzero polynomial $g(x) \in \mathbb{F}_p[x]$, we have $g(x) \mid g(x^p)$ since $g(x^p) = g(x)^p$.

3) The degree of $F_i(x)$ is $i$ times the number of irreducible factors of $f$ of degree $i$. So $S$ is equal to the number of irreducible factors of $f$ of even degree.

If $f(x)$ is irreducible mod $p$, then $d = \deg(f)$ is the least power with $\alpha^{p^d} = \alpha$, and the map $\alpha \mapsto \alpha^p$ has order equal to $d$. Thus, that map is a generator of the Galois group of $f$ over $\mathbb{F}_p$.

For all polynomials, the Galois group acts transitively on the roots of each irreducible factor of $f$ over $\mathbb{F}_p$. Thus, $S$ gives the number of cycles of even length in the Frobenius automorphism. Cycles of even length are odd (and vice versa), so the parity of $S$ determines whether the automorphism is odd or even. Since the discriminant is the product of the square of the differences of the roots of $f(x)$, this parity is also determined by $\left(\frac{\Delta}{p}\right)$. For a more detailed proof of this fact, see [15].

As an example, let $f(x) = x^4 + 12x + 1$. (It is irreducible over $\mathbb{Q}$.) Let $p = 89$. We have $x^{89} - x \equiv 59x^3 + 51x^2 + 20x + 86 \bmod (89, f(x))$, so
$$F_1(x) = \gcd(f(x), 59x^3 + 51x^2 + 20x + 86) = x + 78,$$
and $f_1(x) = x^3 + 11x^2 + 32x + 8$. Since $x^{89^2} - x \equiv 64x^2 + 86x + 19 \bmod (89, f_1(x))$, and
$$F_2(x) = \gcd(f_1(x), 64x^2 + 86x + 19) = 1,$$
we have $f_2(x) = f_1(x) = x^3 + 11x^2 + 32x + 8$. Next, $x^{89^3} - x \equiv 0 \bmod (89, f_2(x))$, so $F_3(x) = f_2(x)$ and $f_3(x) = 1$. Thus $F_4(x) = f_4(x) = 1$. Note that $x^{89} \equiv 25x^2 + x + 59 \bmod (89, F_3(x))$. We verify that $F_3(25x^2 + x + 59) \equiv 0 \bmod (89, F_3(x))$. Finally, the discriminant of $f(x)$ is $-559616$. $\left(\frac{-559616}{89}\right) = 1$, which agrees with the fact that $S = 0$.

We would like to define any composite which satisfies the consequences of this theorem to be a type of pseudoprime, but we may run into a problem when we take the gcd of two polynomials modulo a composite, since we are working over a ring that is not a domain.


With this in mind, we consider the following definition.

Definition. Let $f(x), g_1(x), g_2(x)$ be monic polynomials over a commutative ring (with identity). We say that $f(x)$ is the greatest common monic divisor (gcmd) of $g_1(x)$ and $g_2(x)$ if the ideal generated by $g_1(x)$ and $g_2(x)$ is equal to the ideal generated by $f(x)$. We write $f(x) = \operatorname{gcmd}(g_1(x), g_2(x))$. (Note that $\operatorname{gcmd}(g_1(x), g_2(x))$ does not necessarily exist.)

Clearly if $\operatorname{gcmd}(g_1(x), g_2(x))$ exists, it is a common monic divisor of $g_1(x)$ and $g_2(x)$ of greatest degree. Further, it is not hard to show that the gcmd is unique. The gcmd has the following additional property.

Proposition 3.2. Let $p \mid n$, and let $g_1(x), g_2(x)$ be monic polynomials in $\mathbb{Z}[x]$. If $f(x) = \operatorname{gcmd}(g_1(x), g_2(x))$ in $(\mathbb{Z}/n\mathbb{Z})[x]$, then $f(x) \equiv \gcd(g_1(x), g_2(x)) \bmod p$, where the gcd is taken in $(\mathbb{Z}/p\mathbb{Z})[x]$.

Proof. For $i = 1, 2$, we have that $g_i(x) \equiv k_i(x)f(x) \bmod n$, for some $k_i(x) \in \mathbb{Z}[x]$. Thus $f(x) \mid g_i(x)$ in $(\mathbb{Z}/p\mathbb{Z})[x]$. We have that $f(x) \equiv g_1(x)h_1(x) + g_2(x)h_2(x) \bmod n$ for some $h_1(x), h_2(x) \in \mathbb{Z}[x]$. Thus $f(x) \equiv g_1(x)h_1(x) + g_2(x)h_2(x) \bmod p$, and by the definition of gcd, $f(x) = \gcd(g_1(x), g_2(x))$ in $(\mathbb{Z}/p\mathbb{Z})[x]$.

Corollary 3.3. If $\operatorname{gcmd}(g_1(x), g_2(x))$ exists in $(\mathbb{Z}/n\mathbb{Z})[x]$, then for all $p$ dividing $n$, $\gcd(g_1(x), g_2(x))$ has the same degree.

Proof. Since the leading coefficient of the gcmd is 1, that coefficient is the leading coefficient of all the gcds, by Proposition 3.2. Thus, they all have the same degree.

Proposition 3.4. Assume, for each $p \mid n$, $\gcd(f(x), g(x)) = 1$ in $\mathbb{F}_p[x]$. Then $\operatorname{gcmd}(f(x), g(x)) = 1$ in $(\mathbb{Z}/n\mathbb{Z})[x]$.

Proof. By the Chinese Remainder Theorem, it suffices to prove that the gcmd of $f(x)$ and $g(x)$ is 1 in $(\mathbb{Z}/p^j\mathbb{Z})[x]$ for any integer $j \ge 1$. We proceed by induction. We know that there exist polynomials $a_1(x)$, $b_1(x)$, and $k_1(x)$ such that $f(x)a_1(x) + g(x)b_1(x) = 1 + pk_1(x)$. Assume that there exist polynomials $a_j(x)$, $b_j(x)$ and $k_j(x)$ with $f(x)a_j(x) + g(x)b_j(x) = 1 + p^j k_j(x)$. Multiplying by $pk_1(x)$, $pf(x)a_j(x)k_1(x) + pg(x)b_j(x)k_1(x) = pk_1(x) + p^{j+1}k_1(x)k_j(x)$. Substituting for $pk_1(x)$,
$$pf(x)a_j(x)k_1(x) + pg(x)b_j(x)k_1(x) = -1 + f(x)a_1(x) + g(x)b_1(x) + p^{j+1}k_1(x)k_j(x).$$
Rearranging,
$$f(x)[a_1(x) - pa_j(x)k_1(x)] + g(x)[b_1(x) - pb_j(x)k_1(x)] = 1 + p^{j+1}[-k_1(x)k_j(x)].$$
Thus we have shown that $\operatorname{gcmd}(f(x), g(x)) = 1$ in $(\mathbb{Z}/p^{j+1}\mathbb{Z})[x]$, and the proposition is proven.

The concept of gcmd would not be useful in the context of this paper if it were difficult to calculate. We have the following result, which aids us in testing primality.

Proposition 3.5. The Euclidean algorithm will either find the gcmd of two monic polynomials in $(\mathbb{Z}/n\mathbb{Z})[x]$ or find a proper factor of $n$.


Proof. The Euclidean algorithm will only fail to finish if one of the divisions fails due to the leading coefficient of a non-zero remainder being non-invertible. This coefficient will have a gcd with n that is a nontrivial factor of n. If the Euclidean algorithm terminates (i.e., one of the remainders is zero), we have inductively that the last non-zero remainder is a divisor of the two polynomials and can be written as a linear combination of the two. The proof is the same as the proof of correctness of the Euclidean algorithm over Fp[x]. Since the leading coefficient of the last non-zero remainder is invertible, this remainder can be made monic by division, and we find the gcmd.

Definition. Let $f(x) \in \mathbb{Z}[x]$ be a monic polynomial of degree $d$ with discriminant $\Delta$. An odd integer $n > 1$ is said to pass the Frobenius probable prime test with respect to $f(x)$ if $(n, f(0)\Delta) = 1$, and it is declared to be a probable prime by the following algorithm. (Such an integer will be called a Frobenius probable prime with respect to $f(x)$.) All computations are done in $(\mathbb{Z}/n\mathbb{Z})[x]$.

Factorization Step. Let $f_0(x) = f(x) \bmod n$. For $1 \le i \le d$, let $F_i(x) = \operatorname{gcmd}(x^{n^i} - x, f_{i-1}(x))$ and $f_i(x) = f_{i-1}(x)/F_i(x)$. If any of the gcmds fail to exist, declare $n$ to be composite and stop. If $f_d(x) \ne 1$, declare $n$ to be composite and stop.

Frobenius Step. For $2 \le i \le d$, compute $F_i(x^n) \bmod F_i(x)$. If it is nonzero for some $i$, declare $n$ to be composite and stop.

Jacobi Step. Let $S = \sum_{2 \mid i} \deg(F_i(x))/i$. If $(-1)^S \ne \left(\frac{\Delta}{n}\right)$, declare $n$ to be composite and stop.

If $n$ is not declared to be composite by one of these three steps, declare $n$ to be a Frobenius probable prime and stop.

The Factorization Step produces a “distinct degree” factorization when $n$ is prime. It may be of some interest to apply algorithms that factor the polynomials completely, thus developing definitions for Berlekamp and Cantor-Zassenhaus probable primes. The Cantor-Zassenhaus algorithm shares ideas with the “strong” Frobenius probable prime test of Section 5. Berlekamp's algorithm has two forms, one deterministic and one probabilistic. The deterministic version has running time proportional to $n$, so it is too slow to be used in primality testing. The probabilistic version is fast, but since it is significantly more complicated than most existing probable prime tests, we omit consideration of it here.

Corollary 3.6. Every odd prime $p$ is a Frobenius probable prime with respect to any monic polynomial $f(x)$ such that $p$ does not divide $f(0)\Delta$.

Proof. Immediate from Theorem 3.1.

Definition. Let $f(x) \in \mathbb{Z}[x]$. A Frobenius pseudoprime with respect to a monic polynomial $f(x)$ is a composite which is a Frobenius probable prime with respect to $f(x)$.
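The three steps of the test, implemented as an added Python example (not code from the paper): polynomials mod $n$ are coefficient lists, gcmd is the Euclidean algorithm of Proposition 3.5 with the non-unit leading coefficient check that exposes a factor of $n$, and the discriminant is supplied by the caller ($P^2 - 4Q$ for $x^2 - Px + Q$, and $-559616$ for the $x^4 + 12x + 1$ of the example above). The quadratic case reproduces the Section 4 figures: 323 fails the Frobenius Step and 5777 passes.

```python
from math import gcd

def trim(a):
    while a and a[-1] == 0:           # drop leading zeros (lowest degree first)
        a.pop()
    return a

def poly_add(a, b, n):
    out = [0] * max(len(a), len(b))
    for i, c in enumerate(a):
        out[i] = c
    for i, c in enumerate(b):
        out[i] += c
    return trim([c % n for c in out])

def poly_divmod(a, b, n):
    """Long division in (Z/nZ)[x]; the leading coefficient of b must be a unit."""
    a, b = [c % n for c in a], trim([c % n for c in b])
    inv = pow(b[-1], -1, n)
    q = [0] * max(len(a) - len(b) + 1, 1)
    for i in range(len(a) - len(b), -1, -1):
        q[i] = c = a[i + len(b) - 1] * inv % n
        for j, bj in enumerate(b):
            a[i + j] = (a[i + j] - c * bj) % n
    return trim(q), trim(a)

def poly_mulmod(a, b, f, n):
    prod = [0] * (len(a) + len(b) - 1) if a and b else []
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            prod[i + j] = (prod[i + j] + ai * bj) % n
    return poly_divmod(prod, f, n)[1]

def poly_powmod(base, e, f, n):
    result, base = poly_divmod([1], f, n)[1], poly_divmod(base, f, n)[1]
    while e:                          # base^e mod (n, f(x)) by repeated squaring
        if e & 1:
            result = poly_mulmod(result, base, f, n)
        base, e = poly_mulmod(base, base, f, n), e >> 1
    return result

def poly_compose(g, r, f, n):
    """g(r(x)) mod (n, f(x)) by Horner's rule in the quotient ring."""
    acc = []
    for c in reversed(g):
        acc = poly_add(poly_mulmod(acc, r, f, n), [c], n)
    return poly_divmod(acc, f, n)[1]

def gcmd(a, b, n):
    """Euclidean algorithm in (Z/nZ)[x] (Prop. 3.5): returns (g, None) with g monic,
    or (None, p) with p a proper factor of n exposed by a non-unit leading coefficient."""
    a, b = trim([c % n for c in a]), trim([c % n for c in b])
    while b:
        p = gcd(b[-1], n)
        if p != 1:
            return None, p
        inv = pow(b[-1], -1, n)
        b = [c * inv % n for c in b]                 # make the divisor monic
        a, b = b, poly_divmod(a, b, n)[1]
    return a, None

def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0."""
    a, result = a % n, 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0

def frobenius_test(n, f, disc):
    """Factorization, Frobenius and Jacobi Steps for odd n > 1; f is the integer
    coefficient list (lowest degree first) of a monic polynomial, disc its discriminant."""
    d = len(f) - 1
    if n < 3 or n % 2 == 0 or f[-1] != 1 or gcd(n, f[0] * disc) != 1:
        raise ValueError("need odd n > 1, monic f and (n, f(0)*disc) = 1")
    x, fi, F, y = [0, 1], [c % n for c in f], {}, [0, 1]
    for i in range(1, d + 1):                        # Factorization Step
        y = poly_powmod(y, n, fi, n)                 # x^(n^i) mod (n, f_{i-1}); valid as f_{i-1} | f_{i-2}
        F[i], _ = gcmd(poly_add(y, [0, -1], n), fi, n)   # gcmd(x^(n^i) - x, f_{i-1})
        if F[i] is None:                             # Euclid exposed a factor of n
            return "composite"
        fi = poly_divmod(fi, F[i], n)[0]             # f_i = f_{i-1} / F_i (exact)
    if fi != [1]:
        return "composite"
    for i in range(2, d + 1):                        # Frobenius Step
        if len(F[i]) > 1:
            xn = poly_powmod(x, n, F[i], n)
            if poly_compose(F[i], xn, F[i], n):      # F_i(x^n) mod F_i(x) != 0
                return "composite"
    S = sum((len(F[i]) - 1) // i for i in range(2, d + 1, 2))
    if (-1) ** S != jacobi(disc, n):                 # Jacobi Step
        return "composite"
    return "probable prime"
```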

4. The relation of Frobenius pseudoprimes to other pseudoprimes

Theorem 4.1. An odd integer $n$ is a pseudoprime to the base $a$ if and only if it is a Frobenius pseudoprime with respect to the polynomial $f(x) = x - a$.


Proof. First, assume $n$ is a pseudoprime to the base $a$. Thus, $a^{n-1} \equiv 1 \bmod n$. Since $\Delta = 1$, $(n, f(0)\Delta) = (n, a) = 1$. Because $(x - a) \mid (x^n - a^n)$ and $a^n - a = 0$ in $(\mathbb{Z}/n\mathbb{Z})[x]$, we have $(x - a) \mid ((x^n - a^n) + (a^n - a) + (a - x))$ or $(x - a) \mid (x^n - x)$. Therefore, $F_1(x) = x - a$, and $f_1(x) = 1$, so $n$ passes the Factorization Step. Since $d = 1$, the Frobenius Step is vacuous. Note that $S = 0$ and $\left(\frac{\Delta}{n}\right) = \left(\frac{1}{n}\right) = 1$, so $n$ passes the Jacobi Step. Therefore $n$ is a Frobenius pseudoprime.

Now, assume $n$ is a Frobenius pseudoprime with respect to $x - a$. In order to have $f_1(x) = 1$, we must have $F_1(x) = x - a$. So by the Factorization Step, $(x - a) \mid (x^n - x)$. Since $(x - a) \mid (x^n - a^n)$, $(x - a)$ divides $a^n - a$. Since the latter is a constant and $x - a$ is monic, $a^n - a$ must be 0 in $(\mathbb{Z}/n\mathbb{Z})[x]$. So $a^n \equiv a \bmod n$. Since $(n, f(0)\Delta) = (n, a) = 1$, we have $a^{n-1} \equiv 1 \bmod n$. Thus $n$ is a pseudoprime to the base $a$.

In fact, a more general result can be proven: a Frobenius pseudoprime with respect to $f(x)$ is a pseudoprime to the base $f(0)$. The idea for the proof can be found in [13], Corollary 1. We first need to prove a lemma about polynomials mod $p^k$.

Lemma 4.2. Let $g(y)$ be a polynomial in $\mathbb{Z}[y]$, irreducible mod $p$. Let $f(x)$ be a polynomial in $\mathbb{Z}[x]$ with $p \nmid \operatorname{disc}(f)$. If $f(x)$ has $d$ roots in $(\mathbb{Z}[y]/(p, g(y)))[x]$, then it has $d$ roots in $(\mathbb{Z}[y]/(p^k, g(y)))[x]$ for $k$ a positive integer.

Proof. By Hensel's Lemma, a root mod $p$ lifts to exactly one root mod $p^k$, since the discriminant of $f$ is non-zero mod $p$. Hensel's Lemma applies to any finite field of characteristic $p$.

Theorem 4.3. Let $f(x)$ be a monic, squarefree polynomial in $\mathbb{Z}[x]$. If an odd integer $n$ is a Frobenius pseudoprime with respect to $f(x)$, then it is a pseudoprime to the base $f(0)$.

Proof. It suffices to prove $f(0)^n \equiv f(0) \bmod p^k$ for every prime power $p^k \mid n$. Let $d$ be the degree of $f(x)$. There exists an extension field of $\mathbb{F}_p$, $\mathbb{F}_p[y]/(g(y))$, in which $f(x)$ splits completely. The $d$ roots must be distinct, since $n$ is coprime to the discriminant of $f(x)$. Thus there are $d$ distinct roots of $f(x)$ in $\mathbb{Z}[y]/(p^k, g(y))$, by Lemma 4.2.

Call the roots $y_1, y_2, \dots, y_d$. Consider the map $y_i \mapsto y_i^n$. By the Frobenius Step, this map sends each root to another root. By the Factorization Step, $(y_i^n)^{n^{d-1}} = y_i$, so the map is invertible. Therefore, it permutes the roots. Thus $\prod_{i=1}^{d} y_i = \prod_{i=1}^{d} y_i^n$. But $\prod_{i=1}^{d} y_i \equiv (-1)^d f(0) \bmod p$, so $(-1)^d f(0) \equiv ((-1)^d f(0))^n \bmod p^k$. Simplifying, we see that $f(0)^n \equiv f(0) \bmod p^k$ for each $p^k \mid n$. Thus $n$ is a pseudoprime to the base $f(0)$.

Theorem 4.3 can be used, in conjunction with results about the distribution of pseudoprimes to the base $a$, to give an upper bound on the number of Frobenius pseudoprimes with respect to a given polynomial $f(x)$.

Corollary 4.4. Let $f(x) \in \mathbb{Z}[x]$ be a monic polynomial with nonzero discriminant. If $|f(0)| \ne 1$, then the number of Frobenius pseudoprimes with respect to $f(x)$ up to $y$ is less than $y^{1 - \log\log\log y / 2\log\log y}$, for $y$ sufficiently large, where “sufficiently large” depends only on $|f(0)|$.

Proof. Immediate from Theorem 4.3 and [21].


When $|f(0)| = 1$, it is possible that all integers are Frobenius pseudoprimes with respect to $f(x)$, such as if $f(x) = x - 1$. In fact, we conjecture that for every monic, squarefree polynomial $f(x)$, not the product of cyclotomic polynomials, the bound of Corollary 4.4 holds. For quadratic polynomials, the conjecture follows from [9].

Theorem 4.5. If $a, b$ are integers, $f(x) = (x - a)(x - b)$, and $n$ is a Frobenius pseudoprime with respect to $f(x)$, then $n$ is a pseudoprime to both bases $a$ and $b$.

Proof. Since $f(x)$ factors, its discriminant must be a square, so $\left(\frac{\Delta}{n}\right) = 1$. Therefore $F_2(x) = 1$ and $F_1(x) = f(x)$ by the Jacobi Step. Since $f(x) \mid (x^n - x)$, we have $(x - a) \mid (x^n - x)$. Therefore, as in the proof of Theorem 4.1, we conclude $n$ is a pseudoprime to the base $a$ and, similarly, base $b$.

Theorem 4.6. If $f(x), g(x) \in \mathbb{Z}[x]$ with $(n, \operatorname{disc}(fg)) = 1$ and $n$ is a Frobenius pseudoprime with respect to $f(x)$ and $g(x)$, then it is a Frobenius pseudoprime with respect to $f(x)g(x)$.

Proof. Let $h(x) = f(x)g(x)$. Let $f_i(x), g_i(x), h_i(x)$ and $F_i(x), G_i(x), H_i(x)$ be the polynomials produced in the Factorization Steps for $f(x), g(x), h(x)$, respectively. If a polynomial is not defined in that step (e.g., $f_{d+1}(x)$, if $f(x)$ has degree $d$), define it to be 1. We will show by induction on $i$ that $h_i(x) = f_i(x)g_i(x)$ and $H_i(x) = F_i(x)G_i(x)$.

We have that $h_0(x) = h(x) = f(x)g(x) = f_0(x)g_0(x)$. Assume that $h_{k-1}(x) = f_{k-1}(x)g_{k-1}(x)$. By definition, we have $H_k(x) = \operatorname{gcmd}(x^{n^k} - x, h_{k-1}(x))$, should this gcmd exist. Since $F_k(x) \mid f_{k-1}(x)$ and $G_k(x) \mid g_{k-1}(x)$, $F_k(x)G_k(x) \mid h_{k-1}(x)$. Because $\gcd(\operatorname{disc}(fg), n) = 1$, we have that $\gcd(F_k(x), G_k(x)) = 1$ in $\mathbb{F}_p[x]$ for each $p \mid n$. By Proposition 3.4, $\operatorname{gcmd}(F_k(x), G_k(x)) = 1$ in $(\mathbb{Z}/n\mathbb{Z})[x]$. Therefore $F_k(x)A_1(x) + G_k(x)A_2(x) \equiv 1 \bmod n$ for some $A_1(x)$ and $A_2(x)$ in $\mathbb{Z}[x]$. Also, $x^{n^k} - x \equiv B_1(x)F_k(x) \equiv B_2(x)G_k(x)$, for some $B_1(x)$ and $B_2(x)$ in $\mathbb{Z}[x]$, by the definitions of $F_k(x)$ and $G_k(x)$. Thus $F_k(x)B_1(x) \equiv G_k(x)B_2(x) \bmod n$. Multiplying by $A_1(x)$ gives $F_k(x)A_1(x)B_1(x) \equiv G_k(x)A_1(x)B_2(x)$. If we substitute for $F_k(x)A_1(x)$, we get $(1 - G_k(x)A_2(x))B_1(x) \equiv G_k(x)A_1(x)B_2(x)$, or $B_1(x) \equiv G_k(x)[A_2(x)B_1(x) + A_1(x)B_2(x)]$. Hence $G_k(x) \mid B_1(x)$, and $F_k(x)G_k(x) \mid x^{n^k} - x$. Thus $F_k(x)G_k(x) \mid H_k(x)$.

We have, by the definitions of $F_k(x)$ and $G_k(x)$, that
$$F_k(x) \equiv r_1(x)(x^{n^k} - x) + s_1(x)f_{k-1}(x)$$
and
$$G_k(x) \equiv r_2(x)(x^{n^k} - x) + s_2(x)g_{k-1}(x),$$
for some polynomials $r_1(x)$, $r_2(x)$, $s_1(x)$, and $s_2(x)$. Multiplying these two congruences together, we get
$$F_k(x)G_k(x) \equiv r_3(x)(x^{n^k} - x) + s_1(x)s_2(x)h_{k-1}(x),$$
where $r_3(x) = r_1(x)r_2(x)(x^{n^k} - x) + r_1(x)s_2(x)g_{k-1}(x) + r_2(x)s_1(x)f_{k-1}(x)$. Therefore, $H_k(x) = F_k(x)G_k(x)$. Now $h_k(x) = h_{k-1}(x)/H_{k-1}(x)$, so by the inductive hypothesis,
$$h_k(x) = f_{k-1}(x)g_{k-1}(x)/(F_{k-1}(x)G_{k-1}(x)) = f_k(x)g_k(x).$$

Each of the gcmds in the Factorization Step exists, and $h_{\deg(fg)}(x) = 1$. Thus $n$ passes the Factorization Step.


Since $H_i(x) = F_i(x)G_i(x)$, and $n$ passes the Frobenius Step for $f(x)$ and $g(x)$, $H_i(x) \mid H_i(x^n)$. Thus $n$ passes the Frobenius Step for $h(x)$.

Let $S_f$ and $S_g$ be the values of $S$ computed in the Jacobi Step for $f(x)$ and $g(x)$, respectively. Then $S = S_f + S_g$. So it suffices to show that
$$\left(\frac{\operatorname{disc}(fg)}{n}\right) = \left(\frac{\operatorname{disc}(f)}{n}\right)\left(\frac{\operatorname{disc}(g)}{n}\right).$$
To show this equality, it suffices to show that $\operatorname{disc}(fg) = \operatorname{disc}(f)\operatorname{disc}(g)\ell^2$, where $\ell \in \mathbb{Z}$. Let $\alpha_1, \dots, \alpha_j$ be the roots of $f(x)$ and $\alpha_{j+1}, \dots, \alpha_d$ be the roots of $g(x)$, all in $\overline{\mathbb{Q}}$. Then $\operatorname{disc}(fg)$ is the product of the squared differences of all these roots. Thus $\sigma$ must only rearrange terms in the product, and $\sigma(\ell) = \ell$. Thus
$$\left(\frac{\operatorname{disc}(fg)}{n}\right) = \left(\frac{\operatorname{disc}(f)}{n}\right)\left(\frac{\operatorname{disc}(g)}{n}\right),$$
$n$ passes the Jacobi Step, and $n$ is a Frobenius pseudoprime with respect to $f(x)g(x)$.

The converse to Theorem 4.6 is true for the product of two linear polynomials, as Theorems 4.1 and 4.5 show. It is not, however, true in general. If $f(x) = (x - 1341)(x - 513)(x - 545)$, then 1537 is a Frobenius pseudoprime with respect to $f(x)$, but it is not a pseudoprime to any of the bases 1341, 513, or 545. This example appears in [2] and indicates the possible usefulness of the quadratic forms test contained therein. The examples produced in that paper, however, all involve polynomials with relatively large discriminant compared to the pseudoprimes.

Corollary 4.7. If $n$ is a Carmichael number, $f(x) \in \mathbb{Z}[x]$ is monic, $f(x)$ factors into linear factors mod $n$ and $(n, f(0)\Delta) = 1$, then $n$ is a Frobenius pseudoprime with respect to $f(x)$.

Proof. Apply Theorem 4.1 and Theorem 4.6.

Lemma 4.8. Let $m, n$ be positive integers, and let $f(x), g(x), r(x) \in \mathbb{Z}[x]$. If $f(r(x)) \equiv 0 \bmod (n, f(x))$ and $x^m \equiv g(x) \bmod (n, f(x))$, then $r(x)^m \equiv g(r(x)) \bmod (n, f(x))$.

Proof. $x^m \equiv g(x) + f(x)h(x) \bmod n$, for some $h(x) \in \mathbb{Z}[x]$. Since $x$ is an indeterminate, $r(x)^m \equiv g(r(x)) + f(r(x))h(r(x)) \bmod n$. Because $f(r(x)) \equiv 0 \bmod (n, f(x))$, we have $r(x)^m \equiv g(r(x)) \bmod (n, f(x))$.

Theorem 4.9. If $f(x) = x^2 - Px + Q \in \mathbb{Z}[x]$, and $n$ is a Frobenius pseudoprime with respect to $f(x)$, then $n$ is a Lucas pseudoprime with parameters $(P, Q)$.

Proof. Note that $S = 0$ or 1. If $\left(\frac{\Delta}{n}\right) = 1$, then we must have $S = 0$, so $x^n \equiv x \bmod (n, f(x))$. Since $Q$ is invertible mod $n$, $x$ is invertible mod $(n, f(x))$. Thus $x^{n-1} \equiv 1$. By Lemma 4.8, $(P - x)^{n-1} \equiv 1$, since $f(P - x) \equiv 0 \bmod (n, f(x))$.


The two roots of f(x)inZ[x]/(f(x)) are x and P − x,and(x − (P − x))2 ≡ P 2 − 4Q mod f(x). Since n is coprime to the discriminant P 2 − 4Q, the difference of the two roots is invertible. Thus xn−1 − (P − x)n−1 1 − 1 U − ≡ ≡ =0mod(n, f(x)). n 1 x − (P − x) 2x − P  ∆ − n 6≡ If n = 1, then we must have S =1,sox x mod (n, f(x)). We cannot have xn ≡ x mod (pk,f(x)) for pk|n, since then xn − x ≡ 0mod(pk,f(x)), and the gcmd in the Factorization Step would not exist. Further, this shows that f(x)is irreducible mod p. Because p - ∆, there are only 2 roots to f(x)mod(pk,f(x)), by Lemma 4.2. Since they are known to be x and P −x,wemusthavexn ≡ P −x mod (pk,f(x)) for each prime power pk|n, by the Frobenius Step. Since f(x) is monic, the congruence must hold mod (n, f(x)) by the Chinese Remainder Theorem. By Lemma 4.8, (P − x)n ≡ x mod (n, f(x)), so xn+1 − (P − x)n+1 x(P − x) − (P − x)x U ≡ ≡ =0. n+1 2x − P 2x − P

Note that the Frobenius test is in fact stronger than the Lucas test. For example, 323 is the first Lucas pseudoprime with respect to the Fibonacci sequence. If we compute $x^{323} - x \bmod (323, x^2 - x - 1)$, we get −1. So $F_1(x) = 1$. If we compute $x^{323^2} - x \bmod (323, x^2 - x - 1)$, we get 0. So $F_2(x) = x^2 - x - 1$ and $f_2(x) = 1$. So 323 passes the Factorization Step. Note that it also passes the Jacobi Step, since $\left(\frac{5}{323}\right) = -1$. But it fails the Frobenius Step, because $x^{323} \equiv x - 1 \bmod (323, x^2 - x - 1)$, and $F_2(x - 1) = -2x + 2$. The first Frobenius pseudoprime with respect to the Fibonacci polynomial $x^2 - x - 1$ is 5777.

Theorem 4.10. If $f(x) = x^3 - rx^2 + sx - 1$, then any Frobenius pseudoprime n with respect to f(x) is also a Perrin pseudoprime. In particular, if $F_1(x) = f(x)$, then n has an S-signature, if $F_3(x) = f(x)$, then n has an I-signature, and if $\deg(F_1) = 1$ and $\deg(F_2) = 2$, then n has a Q-signature.

Proof. The idea behind this proof is that relationships between nth powers of the roots determine the signature, and the necessary relationships are guaranteed to hold because n passes the Frobenius Probable Prime Test. To this end, we use Lemma 2 of [2]. Let K be the splitting field of f(x). Let $\alpha_1$, $\alpha_2$ and $\alpha_3$ be the three roots of f(x) in K. Lemma 2 says that n has a Q-signature if for each prime power $p^k \mid n$, and for each prime ideal $\mathfrak{p}$ of K with $\mathfrak{p} \mid p$, we have $\alpha_1^n \equiv \alpha_1$, $\alpha_2^n \equiv \alpha_3$, and $\alpha_3^n \equiv \alpha_2 \bmod \mathfrak{p}^k$ (or some other permutation of the roots of order 2).

If $\deg(F_1) = 1$ and $\deg(F_2) = 2$, then we must have $f(x) \equiv F_1(x)F_2(x) \bmod p^k$. So $f(\alpha_i) = 0 \equiv F_1(\alpha_i)F_2(\alpha_i)$ for $i = 1, 2, 3$. Because $F_1(x)$ is linear it has exactly one root mod $p^k$. Therefore, one of the roots (say $\alpha_1$) is a root of $F_1(x)$ and the other two are roots of $F_2(x)$.

For $\alpha_1$, we have $x^n \equiv x \bmod (p^k, F_1(x))$. But we must have $F_1(x) \equiv x - \alpha_1 \bmod p^k$, so $\alpha_1^n \equiv \alpha_1 \bmod p^k$, and hence for every prime ideal power dividing $p^k$.

We have $x^n \not\equiv x \bmod (p^k, F_2(x))$, but $F_2(x^n) \equiv 0$. Since there are only two roots of $F_2(x) \bmod p^k$, we must have $\alpha_2^n \equiv \alpha_3 \bmod p^k$, and similarly $\alpha_3^n \equiv \alpha_2$.
The proofs of the S and I cases are similar.


Theorem 4.11. Let f(x) ∈ Z[x] be a monic, squarefree polynomial. Let $\beta_1, \ldots, \beta_d$ be its roots, and let $V_k = \beta_1^k + \cdots + \beta_d^k$. If n is a Frobenius pseudoprime with respect to f(x), then n is a pseudoprime with respect to V, in the sense of [13], Section 4.

Proof. The theorem follows directly from Theorem 2 of [13].

Theorem 4.12. Let f(x) be a monic, squarefree polynomial. If n is a Frobenius pseudoprime with respect to f(x), then n is a pseudoprime in the sense of Szekeres.

Proof. It suffices to show that the map $x \mapsto x^n$ permutes the roots of f(x). This fact follows from the Frobenius Step.

Having presented the definition of Frobenius pseudoprime as a generalization of other definitions of pseudoprime, we would like to use the above theorems to produce a theorem that holds for all of these types of pseudoprimes.

Conjecture 4.13. For any monic, squarefree polynomial f(x) ∈ Z[x], there are infinitely many Frobenius pseudoprimes with respect to f(x). In fact, for any $\varepsilon > 0$, there exists a T (depending on f(x) and $\varepsilon$) such that if $t > T$, there are at least $t^{1-\varepsilon}$ Frobenius pseudoprimes less than t.

It is straightforward to prove the first assertion for many polynomials (those which split into linear and quadratic factors over Z). The proof uses Corollary 4.7 and an extension of results in [3] and [4]. It is possible to prove this statement for all polynomials, but the proof requires results about L-functions over number fields. The proof is given in [12]. The second assertion seems considerably more difficult to prove; for a discussion of impediments, see [3].

5. Strong Frobenius pseudoprimes

We can strengthen the test developed in the previous section by using the identity
$$x^{n^i - 1} - 1 = (x^s - 1)\prod_{j=1}^{r}\left(x^{2^{j-1}s} + 1\right) \qquad (\text{where } n^i - 1 = 2^r s)$$
to further factor $F_i(x)$.

Theorem 5.1. Let f(x), d, ∆, p, and $F_i(x)$ be as in Theorem 3.1. Let $p^i - 1 = 2^r s$ with s odd. Let $F_{i,0}(x) = \gcd(F_i(x), x^s - 1)$. For $1 \le j \le r$, let $F_{i,j}(x) = \gcd(F_i(x), x^{2^{j-1}s} + 1)$. Then $\prod_{j=0}^{r} F_{i,j}(x) = F_i(x)$, and, for each j, the degree of $F_{i,j}(x)$ is divisible by i.

Proof. We have the identity $x^{p^i - 1} - 1 = (x^s - 1)\prod_{j=1}^{r}(x^{2^{j-1}s} + 1)$. The result follows since the factors in the product are pairwise coprime, and since $f(0) \neq 0$.

Definition. Let f(x) ∈ Z[x] be a monic polynomial of degree d with discriminant ∆. An odd integer n with (n, f(0)∆) = 1 is said to pass the strong Frobenius probable prime test with respect to f(x) if it is a Frobenius probable prime and is declared to be a probable prime by the following additional step. (Such an integer will be called a strong Frobenius probable prime with respect to f(x).)

Square Root Step. For each $1 \le i \le d$, let $n^i - 1 = 2^r s$ with s odd. Let $F_{i,0}(x) = \operatorname{gcmd}(F_i(x), x^s - 1)$. Let $F_{i,j}(x) = \operatorname{gcmd}(F_i(x), x^{2^{j-1}s} + 1)$. Then if $F_i(x) \neq \prod_{j=0}^{r} F_{i,j}(x)$, if for some j the degree of $F_{i,j}(x)$ is not a multiple of i, or if one of the gcmds fails to exist, declare n to be composite and terminate. If n is not declared to be composite by the Frobenius probable prime test or the Square Root Step, declare n to be a strong Frobenius probable prime.


Corollary 5.2. Every odd prime p is a strong Frobenius probable prime with respect to any monic polynomial f(x) such that p does not divide f(0)∆.

Definition. A strong Frobenius pseudoprime with respect to a monic polynomial f(x) ∈ Z[x] is a composite strong Frobenius probable prime with respect to f(x).

Clearly every strong Frobenius pseudoprime with respect to f(x) is a Frobenius pseudoprime with respect to f(x).

Theorem 5.3. A number n with (n, 2a) = 1 is a strong Frobenius pseudoprime with respect to x − a if and only if n is a strong pseudoprime to the base a.

Proof. From Theorem 3.1 it suffices to show that a pseudoprime to the base a is strong if and only if it passes the Square Root Step with respect to x − a. In order to pass the Square Root Step, we need to have $x - a \mid x^{2^{r-j}s} + 1$ for some $1 \le j \le r$ or $x - a \mid x^s - 1$. The first statement is equivalent to $a^{2^{r-j}s} \equiv -1 \bmod n$ and the second is equivalent to $a^s \equiv 1 \bmod n$. These are exactly the conditions for strong pseudoprimality. So n passes the Square Root Step if and only if it is a strong pseudoprime to the base a.

Corollary 5.4. Every strong Frobenius pseudoprime with respect to x − a is an Euler pseudoprime to the base a.

The situation with strong Lucas pseudoprimes is a bit more complicated, as the polynomial needs to be changed.

Theorem 5.5. Let $f(x) = x^2 - Px + Q$. Let n be an integer with (n, 2∆Q) = 1. Let $Q'$ be an integer with $Q' \equiv Q^{-1} \bmod n$. If n is a strong Frobenius pseudoprime with respect to $X^2 + (2 + b^2c')X + 1$, that is, $X^2 + (2 - P^2Q')X + 1$, then n is a strong Lucas pseudoprime with parameters (P, Q).

Proof. Let $U_k = U_k(P, Q)$ and $V_k = V_k(P, Q)$. Note that $U_k \equiv 0 \bmod n$ if and only if $x^k - (P - x)^k \equiv 0 \bmod (n, x^2 - Px + Q)$ if and only if $\left(\frac{P - x}{x}\right)^k \equiv 1$. Similarly, $V_k \equiv 0$ if and only if $\left(\frac{P - x}{x}\right)^k \equiv -1$. Let $X = Q'P^2 - Q'Px - 1$. Then $X \equiv (P - x)/x \bmod (n, x^2 - Px + Q)$ and $X^2 + (2 - P^2Q')X + 1 = (PQ')^2(x^2 - Px + Q)$. So, by a change of variables, we see that $U_k \equiv 0 \bmod n$ if and only if $X^k \equiv 1 \bmod (n, X^2 + (2 - P^2Q')X + 1)$. The same statement holds for $V_k$, with 1 replaced by −1. So $U_k \equiv 0 \bmod n$ if and only if $X^2 + (2 - P^2Q')X + 1$ divides $X^k - 1$. Using this statement, the fact that n is a strong Lucas pseudoprime with parameters (P, Q) follows immediately from the Square Root Step.

If we insist on keeping the same polynomial, a weaker result can be proven.

Theorem 5.6. Every strong Frobenius pseudoprime n with respect to $f(x) = x^2 - Px + Q$ such that $\left(\frac{P^2 - 4Q}{n}\right) = -1$ is a strong Lucas pseudoprime with parameters (P, Q).

Proof. Let $U_k = U_k(P, Q)$ and $V_k = V_k(P, Q)$. Write $n + 1 = 2^R S$ and $n^2 - 1 = 2^r s$ with s and S odd. Note that $2^r s = (n - 1)2^R S$, so $r - R > 0$. This means that either $f(x) \mid x^{2^{r-R}s} - 1$ or $f(x) \mid x^{2^{r-j}s} + 1$ for some j such that $R \ge j > 0$.


In the first case, we observe that $2^{r-R}s = (n - 1)S = nS - S$. So $x^{nS - S} \equiv 1 \bmod (n, f(x))$, or $x^{nS} \equiv x^S$. But we know that $x^n \equiv (P - x)$, so $(P - x)^S \equiv x^S$. Thus $U_S \equiv (x^S - (P - x)^S)/(x - (P - x)) \equiv 0 \bmod (n, f(x))$ and thus mod n.

In the second case, we use the formula $2^{r-j}s = (n - 1)2^{R-j}S = n2^{R-j}S - 2^{R-j}S$. But $x^{2^{r-j}s} \equiv -1 \bmod (n, f(x))$, so $x^{2^{R-j}S} \equiv -x^{n2^{R-j}S}$. This gives us that $x^{2^{R-j}S} \equiv -(P - x)^{2^{R-j}S}$. Since $V_m \equiv x^m + (P - x)^m$, $V_{2^{R-j}S} \equiv 0 \bmod n$. We conclude that n is a strong Lucas pseudoprime.

Theorem 5.6 would not be true without the restriction that $\left(\frac{b^2 + 4c}{n}\right) = -1$. For example, 294409 is a strong Frobenius pseudoprime with respect to $x^2 - 1185x + 56437$, but it is not a strong Lucas pseudoprime with parameters (1185, 56437).

Theorem 5.7. If n is a strong Frobenius pseudoprime with respect to $x^2 - bx + 1$, then n is an extra strong Lucas pseudoprime to the base b.

Proof. Let $U_k = U_k(b, 1)$ and $V_k = V_k(b, 1)$. Assume that $\left(\frac{b^2 + 4}{n}\right) = -1$. Let R, r, S, s be as in the proof of Theorem 5.6. Observe that $x^{n+1} \equiv x(b - x) \equiv 1$.

If $f(x) \mid x^{2^{r-j}s} + 1$ for some j such that $r \ge j > 0$, then we have that $V_{2^{R-j}S} \equiv 0$, as in Theorem 5.6. If $V_{2^{R-1}S} \equiv 0$, we have that $V_{\frac{n+1}{2}} \equiv 0$, so $x^{\frac{n+1}{2}} + (b - x)^{\frac{n+1}{2}} \equiv 0$. Since $(b - x) \equiv x^{-1}$, we deduce $x^{n+1} \equiv -1$, a contradiction. This establishes that $j > 1$, as the definition of extra strong Lucas pseudoprime requires.

If $f(x) \mid x^s - 1$, this means that $x^s \equiv 1 \bmod (n, f(x))$. $s = S(n - 1)/2^{r-R}$. So $\gcd(\frac{s}{S}, n + 1) = 1$. Therefore $x^S \equiv 1$, and $V_S \equiv x^S + (b - x)^S \equiv 1 + 1 = 2$, and $U_S \equiv 0$ as above.

Similarly, if $f(x) \mid x^s + 1$, we have $V_S \equiv -2$ and $U_S \equiv 0$.

The only remaining case is $f(x) \mid x^{2^{r-j}s} + 1$ for some j such that $r > j \ge R + 1$. $r > R + 1$ only if $n \equiv 1 \bmod 4$. Then $R = 1$, and $j \le r - 1$. So $2^{r-j}s = (n + 1)\frac{n - 1}{2^j}$, and $x^{2^{r-j}s} \equiv x^{(n+1)\frac{n-1}{2^j}} \equiv 1$. This contradicts the assumption that $f(x) \mid x^{2^{r-j}s} + 1$.

The proof for the case where the Jacobi symbol is 1 is similar.

6. Carmichael-Frobenius numbers

A Carmichael number is a number which is a (Fermat) pseudoprime to every base.
With that in mind, we make the following definition.

Definition. Let K be a number field and n an odd composite with (n, disc(K)) = 1. If, for each polynomial f(x) ∈ Z[x] with all its roots in K and (n, f(0) disc(f)) = 1, n is a Frobenius pseudoprime with respect to f(x), then n is a Carmichael-Frobenius number with respect to K.

Note that n is a Carmichael number if and only if it is a Carmichael-Frobenius number with respect to Q. Also, if n is a Carmichael-Frobenius number with respect to K, then it is also a Carmichael-Frobenius number with respect to any subfield of K. In particular, a Carmichael-Frobenius number with respect to K is also a Carmichael number.

Proposition 6.1. Let n be a Carmichael number, and let K be a number field with (n, disc(K)) = 1. If every prime p|n splits completely in K, then n is a Carmichael-Frobenius number with respect to K.


Proof. Let f(x) ∈ Z[x] be a polynomial with all of its roots in K such that gcd(n, f(0) disc(f)) = 1. For each p|n, f(x) must split into linear factors mod p, since p splits completely in K. Since n is a Carmichael number, it is squarefree, so f(x) splits into linear factors mod n. The proposition follows from Corollary 4.7.

These Carmichael-Frobenius numbers have $F_1(x) = f(x)$ in the Factorization Step for each f(x) with all of its roots in K. In [12], we will show that there are infinitely many of them for each number field K. Other types of Carmichael-Frobenius numbers are harder to come by. The methods of [20] can be used to give heuristics suggesting that there are infinitely many Carmichael-Frobenius numbers with respect to K with $F_2(x) = f(x)$ for each irreducible f(x) with all of its roots in K. We also have the following proposition, which is similar to Proposition 6 of [13].

Proposition 6.2. Let f(x) ∈ Z[x] be a monic, irreducible polynomial of degree k with splitting field K. Let n be a Carmichael-Frobenius number with respect to K. If $F_k(x) = f(x)$ in the Factorization Step of the Frobenius Probable Prime Test with respect to f(x), then n has at least k + 2 prime factors.

Proof. Let p be a prime factor of n, and let $f_p(x)$ be an irreducible factor of f(x) of maximal degree in $\mathbb{F}_p[x]$. Let $A_p = \mathbb{F}_p[x]/(f_p(x))$. We have that $A_p = \mathbb{F}_{p^r}$ for some $r \ge 1$. We will show that $r = k$. Since $x^n$ is a root of f(x) in Z[x]/(n, f(x)), it is a root in $A_p$, and we must have $x^n = x^{p^t}$ in $A_p$, for some $t > 0$. We thus have $x^{n^r} \equiv x^{p^{tr}} \equiv x$ in $A_p$. Thus $f_p(x) \mid \gcd(f(x), x^{n^r} - x)$ in $\mathbb{F}_p[x]$. Since all gcmds were computable, $f_p(x) \mid F_{r'}(x)$, for some $r' \le r$. But since $F_k(x) = f(x)$, we must have $r' = k$, and thus $r = k$.

Let α be a root of f(x) in K. Then for some $g_p(x)$ ∈ Z[x], $g_p(\alpha)$ has order $p^k - 1$ in $A_p^*$. By the Chinese Remainder Theorem, there is a monic polynomial g(x) ∈ Z[x] such that $g(x) \equiv g_p(x) \bmod p$ for each p|n. Let h(x) be the minimal polynomial of g(α) over Q. Then h(x) has all of its roots in K. Since h(x), considered mod p, is the minimal polynomial for $g_p(\alpha)$, we have $p \nmid h(0)\operatorname{disc}(h)$ for each p|n, and thus gcd(n, h(0) disc(h)) = 1.

Thus $h(x^n) = 0$ in $A_p$. But the roots of h(x) in $A_p$ are $x^p, x^{p^2}, \ldots, x^{p^{k-1}}, x^{p^k}$. Then $n \equiv p^t \bmod (p^k - 1)$, for some $1 \le t \le r$. This congruence gives $p^k - 1 \mid n - p^t$, for some $1 \le t \le k$. Therefore, $p^k - 1 \mid \frac{n}{p} - p^{t-1}$. Since n is a Carmichael number, it is not a prime power, and $n > p^t$, which implies $\frac{n}{p} - p^{t-1} > 0$. So $p^k - 1 \le \frac{n}{p} - p^{t-1} \le \frac{n}{p} - 1$; thus $p^k \le \frac{n}{p}$. Since $n \neq p^{k+1}$, $p^k < \frac{n}{p}$. Thus for all p|n we have $p^{k+1} < n$, or p

7. Implementation issues

Performing the Frobenius test as stated on quadratic polynomials would seem to require computing $x^{n^2}$. As the theorem below shows, there is an equivalent version of the test that merely requires computing $x^n$.

Theorem 7.1. Let $f(x) = x^2 - bx - c$. Let $\Delta = b^2 + 4c$. Let n be an integer with (n, 2f(0)∆) = 1. If $\left(\frac{\Delta}{n}\right) = 1$ and $x^n \equiv x \bmod (n, f(x))$, then n is a Frobenius probable prime with respect to f(x). If $\left(\frac{\Delta}{n}\right) = -1$ and $x^n \equiv b - x \bmod (n, f(x))$, then n is a Frobenius probable prime with respect to f(x).

Proof. If $\left(\frac{\Delta}{n}\right) = 1$, then the fact that f(x) divides $x^n - x$ verifies both the Factorization Step and the Jacobi Step. The Frobenius Step is trivial.

Suppose $\left(\frac{\Delta}{n}\right) = -1$, and $x^n \equiv b - x \bmod (n, f(x))$. By Lemma 4.8, $(b - x)^n \equiv x \bmod (n, f(x))$, and so $x^{n^2} \equiv x \bmod (n, f(x))$. Note that $4f(b/2) = -\Delta$ is coprime to n, so $x^n - x \equiv b - 2x$ has gcmd 1 with f(x) in (Z/nZ)[x]. Thus $F_1(x) = 1$ and $F_2(x) = f(x)$, so n passes the Factorization and Jacobi steps. Since $f(b - x) \equiv f(x) \equiv 0 \bmod (n, f(x))$, it passes the Frobenius Step.

We will leave a proof of the running time and a description of how to speed the strong test to [11]. Note that Lemma 4.8 can also be used to speed up the test with any degree polynomial. Also, when computing gcmd($x^n - x$, f(x)), the first step should be to compute $x^n$ mod f(x). Then the Euclidean algorithm can be applied to two polynomials whose degree is at most that of f(x). Although the Square Root Step is listed as a separate step, in practice it would be integrated into the Factorization Step. A description of how to do this in the quadratic case is given in [11].
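The quadratic test of Theorem 7.1, the Section 4 comparison of 323 and 5777 for the Fibonacci polynomial, and the Square Root Step of Section 5, as an added Python example that is not code from the paper: elements of Z[x]/(n, f(x)) are stored as (constant, x-coefficient) pairs, the strong check is restricted to the case (∆/n) = −1 (where $F_2(x) = f(x)$ and every $F_{2,j}$ has even degree, so the step reduces to a root-of-unity check in the ring), and the Lucas check uses the criterion from the proof of Theorem 5.5. All function names are my own.

```python
# Added example (not from the paper): Theorem 7.1's quadratic Frobenius test for
# f(x) = x^2 - b x - c, and the Section 5 Square Root Step when (Delta/n) = -1.
from math import gcd

def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0."""
    a, result = a % n, 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0

def mul(u, v, n, b, c):
    """(u0 + u1 x)(v0 + v1 x) in Z[x]/(n, f(x)), reduced with x^2 = b x + c."""
    (u0, u1), (v0, v1) = u, v
    return ((u0 * v0 + c * u1 * v1) % n, (u0 * v1 + u1 * v0 + b * u1 * v1) % n)

def power(base, e, n, b, c):
    """base^e in the ring by square-and-multiply; elements are (const, x-coeff)."""
    result = (1, 0)
    while e:
        if e & 1:
            result = mul(result, base, n, b, c)
        base, e = mul(base, base, n, b, c), e >> 1
    return result

def frobenius_qf(n, b, c):
    """Theorem 7.1 test; needs gcd(n, 2 f(0) Delta) = 1, where f(0) = -c."""
    delta = b * b + 4 * c
    if n < 3 or gcd(n, 2 * c * delta) != 1:
        return False
    xn = power((0, 1), n, n, b, c)
    if jacobi(delta, n) == 1:
        return xn == (0, 1)            # x^n = x
    return xn == (b % n, n - 1)        # x^n = b - x

def strong_frobenius_qf(n, b, c):
    """Square Root Step for (Delta/n) = -1: F_2(x) = f(x) and every F_{2,j}
    has even degree, so the step passes iff x^s = 1 or x^(2^(j-1) s) = -1
    mod (n, f(x)) for some 1 <= j <= r, where n^2 - 1 = 2^r s with s odd."""
    if not frobenius_qf(n, b, c) or jacobi(b * b + 4 * c, n) != -1:
        return False
    s, r = n * n - 1, 0
    while s % 2 == 0:
        s, r = s // 2, r + 1
    y = power((0, 1), s, n, b, c)
    if y == (1, 0):
        return True
    for _ in range(r):                 # y runs through x^s, x^(2s), ..., x^(2^(r-1) s)
        if y == (n - 1, 0):
            return True
        y = mul(y, y, n, b, c)
    return False

def lucas_u_zero(k, n, b, c):
    """U_k(P, Q) = 0 mod n for P = b, Q = -c, via the criterion in the proof of
    Theorem 5.5: U_k = 0 iff x^k = (b - x)^k mod (n, f(x)) (2x - b is a unit)."""
    return power((0, 1), k, n, b, c) == power((b % n, n - 1), k, n, b, c)

if __name__ == "__main__":
    for n in (323, 5777):              # Fibonacci polynomial: b = c = 1, Delta = 5
        print(n, lucas_u_zero(n - jacobi(5, n), n, 1, 1),
              frobenius_qf(n, 1, 1), strong_frobenius_qf(n, 1, 1))
```

Running the demonstration shows 323 passing the Lucas test but failing the Frobenius test, while 5777 passes both the Frobenius test and the Square Root Step for $x^2 - x - 1$.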

8. A challenge

Pomerance, Selfridge and Wagstaff offer $620 for a number 2 or 3 mod 5 that is a pseudoprime to the base 2 and also a Lucas pseudoprime with respect to the Fibonacci sequence, or for a proof that none exists [22], [14]. In this spirit, I have offered $6.20 for a Frobenius pseudoprime with respect to $x^2 + 5x + 5$ that is congruent to 2 or 3 mod 5. This polynomial is used instead of the Fibonacci polynomial because $x^{2(p+1)} \equiv 1 \bmod (p, x^2 - x - 1)$, if p is 2 or 3 mod 5. With $x^2 + 5x + 5$, there is no similar guarantee that x will have small order mod p. The lower monetary figure is a reflection of my financial status at the time of the offer, not of any lower confidence level. Heuristics [20] suggest that an example should exist for the PSW test, and these heuristics can be modified to suggest that it should also be possible to find one for the above Frobenius test. I believe that the two problems are equally challenging. A justification for my belief is that an n that passes my challenge must be a pseudoprime to the base 5 (by Theorem 4.3) as well as a Lucas pseudoprime with parameters (−5, −5) (by Theorem 4.9).

References

1. W. W. Adams, Characterizing pseudoprimes for third-order linear recurrence sequences, Math. Comp. 48 (1987), 1–15. MR 87k:11014
2. W. W. Adams and D. Shanks, Strong primality tests that are not sufficient, Math. Comp. 39 (1982), 255–300. MR 84c:10007
3. W. R. Alford, Andrew Granville, and Carl Pomerance, There are infinitely many Carmichael numbers, Annals of Mathematics 140 (1994), 703–722. MR 95k:11114
4. W. R. Alford, Andrew Granville, and Carl Pomerance, On the difficulty of finding reliable witnesses, Algorithmic Number Theory (L. M. Adleman and M.-D. Huang, eds.), Lecture Notes in Comput. Sci., Springer-Verlag, New York, 1994, pp. 1–16. MR 96d:11136
5. S. Arno, A note on Perrin pseudoprimes, Math. Comp. 56 (1991), 371–376. MR 91k:11011


6. A. O. L. Atkin, Intelligent Offer, Computational Perspectives on Number Theory (D. A. Buell and J. T. Teitelbaum, eds.), Proceedings of a Conference in Honor of A. O. L. Atkin, International Press, 1998, pp. 1–11. MR 98k:11183
7. R. Baillie and S. S. Wagstaff, Jr., Lucas pseudoprimes, Math. Comp. 35 (1980), 1391–1417. MR 81j:10005
8. D. M. Gordon, Pseudoprimes on elliptic curves, Théorie des nombres (J. M. DeKoninck and C. Levesque, eds.), de Gruyter, Berlin, 1989, pp. 290–305. MR 91g:11158
9. D. M. Gordon and C. Pomerance, The distribution of Lucas and elliptic pseudoprimes, Math. Comp. 57 (1991), 825–838; 60 (1993), 877. MR 92h:11081; MR 93h:11108
10. J. Grantham, Frobenius Pseudoprimes, dissertation, University of Georgia, 1997.
11. J. Grantham, A Probable Prime Test With High Confidence, J. Number Theory 72 (1998), 32–47. CMP 98:17
12. J. Grantham, There Are Infinitely Many Perrin Pseudoprimes.
13. S. Gurak, Pseudoprimes for higher-order linear recurrence sequences, Math. Comp. 55 (1990), 783–813. MR 91a:11067
14. R. K. Guy, Unsolved Problems in Number Theory, Second Edition, Springer-Verlag, New York, 1994, p. 28. MR 96e:11002
15. N. Jacobson, Basic Algebra I, Second Edition, W.H. Freeman, New York, 1985, p. 258. MR 86d:00001
16. G. C. Kurtz, D. Shanks, and H. C. Williams, Fast primality tests for numbers less than $50 \cdot 10^9$, Math. Comp. 46 (1986), 691–701. MR 87d:11101
17. H. W. Lenstra, Jr., Primality testing, Computational Methods in Number Theory (H. W. Lenstra, Jr. and R. Tijdeman, eds.), Part I, vol. 154, Math. Centre Tract, Amsterdam, 1982, pp. 55–77. MR 85g:11117
18. Z. Mo and J. P. Jones, A new primality test using Lucas sequences, preprint.
19. L. Monier, Evaluation and comparison of two efficient probabilistic primality testing algorithms, Theoretical Computer Science 12 (1980), 97–108. MR 82a:68078
20. C. Pomerance, Are there counter-examples to the Baillie – PSW primality test?, Dopo Le Parole aangeboden aan Dr. A. K. Lenstra (H. W. Lenstra, Jr., J. K. Lenstra and P. Van Emde Boas, eds.), Amsterdam, 1984.
21. C. Pomerance, On the distribution of pseudoprimes, Math. Comp. 37 (1981), 587–593. MR 83k:10009
22. C. Pomerance, J. L. Selfridge and S. S. Wagstaff, Jr., The pseudoprimes to $25 \cdot 10^9$, Math. Comp. 35 (1980), 1003–1026. MR 82g:10030
23. M. O. Rabin, Probabilistic algorithm for testing primality, J. Number Theory 12 (1980), 128–138. MR 81f:10003
24. R. M. Robinson, The converse of Fermat's theorem, Amer. Math. Monthly 64 (1957), 703–710. MR 20:4520
25. A. Rotkiewicz, On the pseudoprimes of the form ax+b with respect to the sequence of Lehmer, Bull. Acad. Polon. Sci. Sér. Sci. Math. Astronom. Phys. 20 (1972), 349–354. MR 46:8948
26. A. Rotkiewicz, On Euler Lehmer pseudoprimes and Strong Lehmer pseudoprimes with parameters L, Q in arithmetic progressions, Math. Comp. 39 (1982), 239–247. MR 83k:10004
27. G. Szekeres, Higher order pseudoprimes in primality testing, Combinatorics, Paul Erdős is eighty, Bolyai Soc. Math. Stud., vol. 2, János Bolyai Math Soc., Budapest, 1996, pp. 451–458. MR 97c:11113

Institute for Defense Analyses, Center for Computing Sciences, 17100 Science Drive, Bowie, MD 20715 E-mail address: [email protected]
